The following table outlines the permissions granted for various AWS resources. It includes multiple AWS services, such as IAM (management of users, groups, and roles), EC2 (virtual servers and networking), S3 (storage), CloudFront, CloudTrail, and others.
| Action | Webservice | Permission | Description |
|---|---|---|---|
| EnableDomainAutoRenew | route53domains | Allow | Automatically renew the specified domain before the domain registration expires Click here to read more… |
| EnableDomainTransferLock | route53domains | Allow | Sets the transfer lock on the domain (specifically the clientTransferProhibited status) to prevent domain transfers Click here to read more… |
| CreateCluster | redshift | Allow | Create an EKS cluster Click here to read more… |
| ModifyCluster | redshift | Allow | Modifies the number of steps that can be executed concurrently for the cluster specified using ClusterID Click here to read more… |
| CreateTrail | cloudtrail | Allow | Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket Click here to read more… |
| PutEventSelectors | cloudtrail | Allow | Configures event selectors or advanced event selectors for your trail Click here to read more… |
| UpdateTrail | cloudtrail | Allow | Updates trail settings that control what events you are logging, and how to handle log files Click here to read more… |
| StartLogging | cloudtrail | Allow | Starts the recording of AWS API calls and log file delivery for a trail Click here to read more… |
| SetQueueAttributes | SQS | Allow | Sets the value of one or more queue attributes, like a policy Click here to read more… |
| PutMetricFilter | Logs | Allow | Creates or updates a metric filter and associates it with the specified log group Click here to read more… |
| CreateLogGroup | Logs | Allow | Creates a log group with the specified name Click here to read more… |
| UpdateDistribution | Cloudfront | Allow | Updates the configuration for a CloudFront distribution Click here to read more… |
| CreateTopic | SNS | Allow | Creates a topic to which notifications can be published Click here to read more… |
| Subscribe | SNS | Allow | Subscribes an endpoint to an Amazon SNS topic Click here to read more… |
| CreateLoadBalancerPolicy | Elasticloadbalancing | Allow | Creates a policy with the specified attributes for the specified load balancer Click here to read more… |
| SetLoadBalancerPoliciesOfListener | Elasticloadbalancing | Allow | Replaces the current set of policies for the specified load balancer port with the specified set of policies Click here to read more… |
| CreateLoadBalancerListeners | elasticloadbalancing | Allow | Creates one or more listeners for the specified load balancer Click here to read more… |
| ModifyLoadBalancerAttributes | Elasticloadbalancing | Allow | Modifies the attributes of the specified load balancer Click here to read more… |
| UpdateCertificateOptions | acm | Allow | Updates a certificate Click here to read more… |
| DeleteCertificate | acm | Allow | Deletes a certificate and its associated private key. Click here to read more… |
| ImportCertificate | acm | Allow | Imports a certificate into AWS Certificate Manager (ACM) to use with services Click here to read more… |
| RemoveUserFromGroup | IAM | Allow | Removes the specified user from the specified group. Click here to read more… |
| UpdateAccessKey | IAM | Allow | Changes the status of the specified access key from Active to Inactive, or vice versa. Click here to read more… |
| DetachUserPolicy | IAM | Allow | Removes the specified policy from the specified user. Click here to read more… |
| DeletePolicy | IAM | Allow | Deletes the specified policy. Click here to read more… |
| PutRolePolicy | IAM | Allow | Adds or updates an inline policy document Click here to read more… |
| DeleteUser | IAM | Allow | Deletes the specified user from the group Click here to read more… |
| DetachGroupPolicy | IAM | Allow | Removes the specified policy from the specified group Click here to read more… |
| DeletePolicyVersion | IAM | Allow | Deletes the specified version from the specified policy Click here to read more… |
| DeleteRolePolicy | IAM | Allow | Deletes the specified inline policy that is embedded in the specified role. Click here to read more… |
| CreateLoginProfile | IAM | Allow | Creates a password for the specified IAM user. Click here to read more… |
| UpdateUser | IAM | Allow | Updates the name and/or the path of the specified user Click here to read more… |
| DeleteLoginProfile | IAM | Allow | Deletes the password for the specified user Click here to read more… |
| PutUserPolicy | IAM | Allow | Adds or updates an inline policy document that is embedded in the specified user. Click here to read more… |
| DetachRolePolicy | IAM | Allow | Removes the specified policy from the specified role. Click here to read more… |
| CreateVirtualMfaDevice | IAM | Allow | Creates a new virtual MFA device for the AWS account. Click here to read more… |
| EnableMfaDevice | IAM | Allow | Enables the specified MFA device and associates it with the specified user. Click here to read more… |
| CreatePolicy | IAM | Allow | Creates a new policy for your AWS account. Click here to read more… |
| UpdateAccountPasswordPolicy | IAM | Allow | Updates the password policy settings for the AWS account Click here to read more… |
| CreateRole | IAM | Allow | Creates a new role for your AWS account. Click here to read more… |
| AddUserToGroup | IAM | Allow | Adds the specified user to the specified group. Click here to read more… |
| DeleteAccessKey | IAM | Allow | Deletes the access key pair associated with the specified user. Click here to read more… |
| AttachUserPolicy | IAM | Allow | Attaches the specified policy to the specified user. Click here to read more… |
| CreatePolicyVersion | IAM | Allow | Creates a new version of the specified policy |
| PutGroupPolicy | IAM | Allow | Adds or updates an inline policy document that is embedded in the specified group. Click here to read more… |
| DeleteRole | IAM | Allow | Deletes the specified role Click here to read more… |
| UpdateLoginProfile | IAM | Allow | Changes the password for the specified user. Click here to read more… |
| DeleteGroupPolicy | IAM | Allow | Deletes the specified inline policy that is embedded in the specified IAM group Click here to read more… |
| RemoveRoleFromInstanceProfile | IAM | Allow | Removes the specified role from the specified Amazon EC2 instance profile Click here to read more… |
| CreateAccessKey | IAM | Allow | Creates a new AWS secret access key and corresponding AWS access key ID for the specified user Click here to read more… |
| AttachGroupPolicy | IAM | Allow | Attaches the specified managed policy to the specified group Click here to read more… |
| DeleteGroup | IAM | Allow | Deletes the specified group Click here to read more… |
| DeleteUserPolicy | IAM | Allow | Deletes the specified inline policy that is embedded in the specified user Click here to read more… |
| AttachRolePolicy | IAM | Allow | Attaches the specified managed policy to the specified IAM role |
| CreateDBSnapshot | RDS | Allow | Creates a snapshot of a DB instance. Click here to read more… |
| CopyDBSnapshot | RDS | Allow | Copies the specified DB snapshot Click here to read more… |
| RestoreDBInstanceFromDBSnapshot | RDS | Allow | Creates a new DB instance from a DB snapshot Click here to read more… |
| DeleteDBInstance | RDS | Allow | Deletes a previously provisioned DB instance. Click here to read more… |
| ModifyDBInstance | RDS | Allow | Modifies settings for a DB instance. Click here to read more… |
| StartConfigurationRecorder | Config | Allow | Starts the customer managed configuration recorder Click here to read more… |
| PutConfigurationRecorder | Config | Allow | Creates or updates the customer managed configuration recorder Click here to read more… |
| PutDeliveryChannel | Config | Allow | Creates or updates a delivery channel to deliver configuration information and other compliance information Click here to read more |
| UpdateTerminationProtection | Cloudformation | Allow | Updates termination protection for the specified stack Click here to read more |
| EnableAlarmActions | CloudWatch | Allow | Enables the actions for the specified alarms Click here to read more… |
| PutMetricAlarm | CloudWatch | Allow | Creates or updates an alarm and associates it with the specified metric, metric math expression, anomaly detection model, or Metrics Insights query Click here to read more… |
| ResetImageAttribute | EC2 | Allow | Resets an attribute of an AMI to its default value Click here to read more… |
| CreateVolume | EC2 | Allow | Creates an EBS volume that can be attached to an instance in the same Availability Zone Click here to read more… |
| DisassociateAddress | EC2 | Allow | Disassociates an Elastic IP address from the instance or network interface it’s associated with Click here to read more… |
| ModifyInstanceMaintenanceOptions | EC2 | Allow | Modifies the recovery behavior of your instance to disable simplified automatic recovery or set the recovery behavior to default Click here to read more… |
| RunInstances | EC2 | Allow | Launches the specified number of instances using an AMI for which you have permissions. Click here to read more… |
| AuthorizeSecurityGroupEgress | EC2 | Allow | Adds the specified outbound (egress) rules to a security group Click here to read more… |
| CopySnapshot | EC2 | Allow | Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. Click here to read more… |
| ModifySnapshotAttribute | EC2 | Allow | Adds or removes permission settings for the specified snapshot. Click here to read more… |
| RevokeSecurityGroupEgress | EC2 | Allow | Removes the specified outbound (egress) rules from the specified security group. Click here to read more… |
| AuthorizeSecurityGroupIngress | EC2 | Allow | Adds the specified inbound (ingress) rules to a security group. Click here to read more… |
| MonitorInstances | EC2 | Allow | Enables detailed monitoring for a running instance Click here to read more… |
| DeleteNetworkAcl | EC2 | Allow | Deletes the specified network ACL Click here to read more… |
| RevokeSecurityGroupIngress | EC2 | Allow | Removes the specified inbound (ingress) rules from a security group Click here to read more… |
| ModifyInstanceAttribute | EC2 | Allow | Modifies the specified attribute of the specified instance. Click here to read more… |
| DeleteSecurityGroup | EC2 | Allow | If you attempt to delete a security group that is associated with an instance or network interface, is referenced by another security group in the same VPC, or has a VPC association, the operation fails with DependencyViolation Click here to read more… |
| ModifyImageAttribute | EC2 | Allow | Modifies the specified attribute of the specified AMI. Click here to read more… |
| CreateSnapshot | EC2 | Allow | Creates crash-consistent snapshots of multiple EBS volumes attached to an Amazon EC2 instance. Click here to read more… |
| DetachVolume | EC2 | Allow | Detaches an EBS (Elastic Block Store) volume from an instance Click here to read more… |
| CreateRoute | EC2 | Allow | Creates a route in a route table within a VPC Click here to read more… |
| CreateFlowLogs | EC2 | Allow | Creates one or more flow logs to capture information about IP traffic for a specific network interface, subnet, or VPC Click here to read more… |
| CreateFlowLogs | EC2 | Allow | Creates one or more flow logs to capture information about IP traffic for a specific network interface, subnet, or VPC Click here to read more… |
| StartInstances | EC2 | Allow | Starts an Amazon EBS-backed instance that you’ve previously stopped Click here to read more… |
| ModifySecurityGroupRules | EC2 | Allow | Modifies the rules of a security group. Click here to read more… |
| CreateImage | EC2 | Allow | Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped. Click here to read more… |
| DeleteRoute | EC2 | Allow | Deletes the specified route from the specified route table Click here to read more… |
| TerminateInstances | EC2 | Allow | Shuts down the specified instances. Click here to read more… |
| DeleteSnapshot | EC2 | Allow | Deletes the specified snapshot Click here to read more… |
| AttachVolume | EC2 | Allow | Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name Click here to read more… |
| StopInstances | EC2 | Allow | Stops an Amazon EBS-backed instance. Click here to read more… |
| DeregisterImage | EC2 | Allow | Deregisters the specified AMI. After you deregister an AMI, it can’t be used to launch new instances. Click here to read more… |
| CreateSecurityGroup | EC2 | Allow | A security group acts as a virtual firewall for your instance to control inbound and outbound traffic Click here to read more… |
| CreateBucket | S3 | Allow | This action creates an Amazon S3 bucket Click here to read more… |
| PutBucketPublicAccessBlock | S3 | Allow | Creates or modifies the PublicAccessBlock configuration for an Amazon S3 bucket Click here to read more… |
| PutBucketPolicy | S3 | Allow | Applies an Amazon S3 bucket policy to an Amazon S3 bucket Click here to read more… |
| PutEncryptionConfiguration | S3 | Allow | This operation configures default encryption and Amazon S3 Bucket Keys for an existing bucket. Click here to read more… |
| PutBucketLogging | S3 | Allow | Set the logging parameters for a bucket and to specify permissions for who can view and modify the logging parameters Click here to read more… |
| PutBucketVersioning | S3 | Allow | Sets the versioning state of an existing bucket. Click here to read more… |
| ModifyListener | elasticloadbalancing | Allow | Replaces the specified properties of the specified listener Click here to read more… |
| CreateListener | elasticloadbalancing | Allow | Creates a listener for the specified Application Load Balancer, Network Load Balancer, or Gateway Load Balancer Click here to read more… |
